Curiosity Killed the Cat 5 Network

Last year, i wrote a technical article entitled 'Social Engineering: Penetration Testing the Human Element' to Pentestmag.com which focused on the process of social engineering assessment using the art of deception and how easy it could be with simply a smile accompanied by an act of confidence.

In the book by Kevin Mitnick, 'The art of deception', he dives deep into that art and shares the tricks he used to deceive people into giving him vital information. Not only did he succeed into tricking the common employees, he also managed to trick security administrators, managers, CIOs and other people holding top position in organizations.

Then again, not many can be as charming, as confident and as cunning as Kevin be it from tele conversation or face to face meetings. Thats when hackers use the art in other forms; from cloning a website and hoping someone fall for it (phishing) to sending malicious links or attachments via emails and crossing their fingers hoping someone clicks on it.

Earlier this month, KrebsonSecurity reported that the famous hack and breach at Target could be the result from an email attack, a malware-laced email phishing attack sent to employees.[1]

These trend of users easily falling prey to social engineering tactics even led to a vendor suggesting to punish careless employees to reduce security breaches. [2]

Looking back at the past, the spread of malware such as the famous 'I love you' virus, the 'Melissa' and the 'Zeus' viruses were all being spread via invoking the curiosity of humans. A single click. Thats all it takes.  And thanks to this curiosity, those viruses managed to spread over 50 million computers worldwide. Even important organizations such as the Pentagon, the CIA and the British Parliament were not spared. [3]

Employees play a huge role in ensuring the security of the organizations. 

Organizations may have placed the best security mechanism to block from any external intrusion but if one thing hackers learn from history is that they have evolved into attacking the human curiosity first because it is much easier to fool a person than a system. Like i wrote above, one click is all it takes to bring the organization down to its knees. 

To quote the security rockstar Bruce Schenier, "Amateurs hack systems. Professionals hack people." 

References:

[1] http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/

[2] http://www.csoonline.com/article/746986/punish-careless-employees-to-reduce-security-breaches-vendor-says

[3] http://support.pandasecurity.com/blog/malware/virus-iloveyou/